Abstract. Nakano’s “later” modality, inspired by Gödel-Löb provability logic, has been applied in type systems and program logics to capture guarded recursion. Birkedal et al modelled this modality via the internal logic of the topos of trees. We show that the semantics of the propositional fragment of this logic can be given by linear converse-well-founded intuitionistic Kripke frames, so this logic is a marriage of the intuitionistic modal logic KM and the intermediate logic LC. We therefore call this logic KM_lin. We give a sound and cut-free complete sequent calculus for KM_lin via a strategy that decomposes implication into its static and irreflexive components. Our calculus provides deterministic and terminating backward proof-search, yields decidability of the logic and the coNP-completeness of its validity problem. Our calculus and decision procedure can be restricted to drop linearity and hence capture KM.


1 Introduction 

Guarded recursion [10] on an infinite data structure requires that recursive calls be nested beneath constructors. For example, a stream of zeros can be defined with the self-reference guarded by the cons:

  zeros = 0 : zeros

Such equations have unique solutions and are productive: they compute arbitrarily large prefixes of the infinite structure in finite time, a useful property in lazy programming.

Syntactic checks do not always play well with higher-order functions; the insight of Nakano [26] is that guarded recursion can be enforced through the type system via an ‘approximation modality’ inspired by Gödel-Löb provability logic [?]. We follow Appel et al [1] and call this modality later, and use the symbol $\triangleright$. The meaning of $\triangleright\tau$ is roughly ‘$\tau$ one computation step later’. Type definitions must have their self-reference guarded by later. For example streams of integers, which we perhaps expect to be defined as $Stream = \mathbb{Z} \times Stream$, are instead

  $Stream = \mathbb{Z} \times \triangleright Stream$

Nakano showed that versions of Curry’s fixed-point combinator Y, and Turing’s fixed-point combinator likewise, can be typed by the strong Löb axiom (see [23])

  $(\triangleright\tau \to \tau) \to \tau$  (1)
Returning to our example, Y can be applied to the function

  $\lambda x.(0, x) : \triangleright Stream \to \mathbb{Z} \times \triangleright Stream$

to define the stream of zeros.

Nakano’s modality was popularised by the typing discipline for intermediate and assembly languages of Appel et al [1], where for certain ‘necessary’ types a ‘Löb rule’ applies which correlates to the strong Löb axiom (1). The modality has since been applied in a wide range of ways; a non-exhaustive but representative list follows. As a type constructor, $\triangleright$ appears in Rowe’s type system for Featherweight Java [29], the kind system of the System F extension FORK [?], and in types for functional reactive programming [?], with applications to graphical user interfaces [20]. As a logical connective, $\triangleright$ was married to separation logic in [18], then to higher-order separation logic in [2], and to step-indexed logical relations for reasoning about programming languages with LSLR [12]. Thus Nakano’s modality is important in various applications in computer science.

We have so far been coy on precisely what the logic of later is, beyond positing that $\triangleright$ is a modality obeying the strong Löb axiom. Nakano cited Gödel-Löb provability logic as inspiration, but this is a classical modal logic with the weak Löb axiom $\Box(\Box\varphi \to \varphi) \to \Box\varphi$, whereas we desire intuitionistic implication and the stronger axiom (1). In fact there does exist a tradition of intuitionistic analogues of Gödel-Löb logic [23], of which Nakano seemed mainly unaware; we will see that logic with later can partly be understood through this tradition. In the computer science literature it has been most common to leave proof theory and search implicit and fix some concrete semantics; for example see Appel et al’s Kripke semantics of stores [1]. A more abstract and general model can be given via the internal logic of the topos of trees $\mathcal{S}$ [4]. This was shown to generalise several previous models for logic with later, such as the ultrametric spaces of [?], and provides the basis for a rich theory of dependent types. We hence take the internal logic of $\mathcal{S}$ as a prominent and useful model of logic with later, in which we can study proof theory and proof search.

In this paper we look at the propositional-modal core of the internal logic of $\mathcal{S}$. This fragment will be seen to have semantics in linear intuitionistic Kripke frames whose reflexive reduction is converse-well-founded. Linear intuitionistic frames are known to be captured by Dummett’s intermediate logic LC [5]; the validity of the LC axiom in the topos of trees was first observed by Litak [22]. Intuitionistic frames with converse-well-founded reflexive reduction are captured by the intuitionistic modal logic KM, first called [25]. Hence the internal propositional modal logic of the topos of trees is semantically exactly their combination, which we call KM_lin (Litak [23, Thm. 50] has subsequently confirmed this relationship at the level of Hilbert axioms also).

Our specific contribution is to give a sound and cut-free complete sequent calculus for KM_lin, and by restriction for KM also, supporting terminating backwards proof search and hence yielding the decidability and finite model property of these logics. Our sequent calculus also establishes the coNP-completeness of deciding validity in KM_lin.

To our knowledge sequent calculi for intuitionistic Gödel-Löb logics, let alone KM or KM_lin, have not before been investigated, but such proof systems provide a solid foundation for proving results such as decidability, complexity, and interpolation, and given an appropriate link between calculus and semantics can provide explicit, usually finite, counter-models falsifying given non-theorems.

The main technical novelty of our sequent calculus is that we leverage the fact that the intuitionistic accessibility relation is the reflexive closure of the modal relation, by decomposing implication into a static (classical) component and a dynamic ‘irreflexive implication’ $\twoheadrightarrow$ that looks forward along the modal relation. In fact, this irreflexive implication obviates the need for $\triangleright$ entirely, as $\triangleright\varphi$ is easily seen to be equivalent to $\top \twoheadrightarrow \varphi$. Semantically the converse of this applies also, as $\varphi \twoheadrightarrow \psi$ is semantically equivalent to $\triangleright(\varphi \to \psi)$ (see the footnote below), but the $\twoheadrightarrow$ connective is a necessary part of our calculus. We maintain $\triangleright$ as a first-class connective in deference to the computer science applications and logic traditions from which we draw, but note that formulae of the form $\triangleright(\varphi \to \psi)$ are common in the literature - see Nakano’s ($\to$E) rule [26], and even more directly Birkedal and Møgelberg’s $\circledast$ constructor. We therefore suspect that treating $\twoheadrightarrow$ as a first-class connective could be a conceptually fruitful side-benefit of our work.


2 From the Topos of Trees to Kripke Frames


In this section we outline the topos of trees model and its internal logic, and show that this logic can be described semantically by conditions on intuitionistic Kripke frames. Therefore after this section we discard category theory and proceed with reference to Kripke frames alone.

The topos of trees, written $\mathcal{S}$, is the category of presheaves on the first infinite ordinal $\omega$ (with objects $1, 2, \ldots$, rather than starting at 0, in keeping with the relevant literature). Concretely an object $A$ is a pair of a family of sets $A_i$ indexed by the positive integers, and a family of restriction functions $r^A_i : A_{i+1} \to A_i$ indexed similarly. An arrow $f : A \to B$ is a family of functions $f_i : A_i \to B_i$ indexed similarly, subject to naturality, i.e. all squares below commute:

  $f_i \circ r^A_i = r^B_i \circ f_{i+1}$ for every $i$, i.e. the square with corners $A_{i+1}$, $A_i$, $B_{i+1}$, $B_i$ and edges $r^A_i$, $r^B_i$, $f_{i+1}$, $f_i$ commutes.

Two $\mathcal{S}$-objects are of particular interest: the terminal object $1$ has singletons as component sets and identities as restriction functions; the subobject classifier $\Omega$ has $\Omega_j = \{0, \ldots, j\}$ and $r^\Omega_j(k) = \min\{j, k\}$. We regard the positive integers as worlds and functions $x : 1 \to \Omega$ as truth values over these worlds, by considering $x$ true at $j$ iff $x_j = j$. Such an $x$ is constrained by naturality to have one of three forms: $x_j = j$ for all $j$ (true everywhere); $x_j = 0$ for all $j$ (true nowhere); or, given any positive integer $k$, $x_j$ is $k$ for all $j \ge k$, and is $j$ for all $j \le k$ (becomes true at world $k$, remains true at all lesser worlds). As such the truth values can be identified with the set $\mathbb{N} \cup \{\infty\}$, where $\infty$ captures ‘true everywhere’.

Footnote: This in turn is equivalent in KM_lin (but is not in KM) to $\triangleright\varphi \to \triangleright\psi$ [26, Sec. 3].
Formulae of the internal logic of $\mathcal{S}$ are defined as

  $\varphi ::= p \mid \top \mid \bot \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \varphi \to \varphi \mid \varphi \twoheadrightarrow \varphi \mid \triangleright\varphi$

where $p \in \mathrm{Atm}$ is an atomic formula. Negation may be defined as usual as $\varphi \to \bot$. The connective $\twoheadrightarrow$, read as irreflexive implication, is not in Birkedal et al [4] but is critical to the sequent calculus of this paper; readers may view $\twoheadrightarrow$ as a second-class connective generated and then disposed of by our proof system, or as a novel first-class connective, as they prefer.

Given a map $\eta$ from propositional variables $p \in \mathrm{Atm}$ to arrows $\eta(p) : 1 \to \Omega$, and a positive integer $j$, the Kripke-Joyal forcing semantics for $\mathcal{S}$ are defined by

  $\eta, j \Vdash p$ iff $\eta(p)_j = j$
  $\eta, j \Vdash \top$ always
  $\eta, j \Vdash \bot$ never
  $\eta, j \Vdash \varphi \wedge \psi$ iff $\eta, j \Vdash \varphi$ and $\eta, j \Vdash \psi$
  $\eta, j \Vdash \varphi \vee \psi$ iff $\eta, j \Vdash \varphi$ or $\eta, j \Vdash \psi$
  $\eta, j \Vdash \varphi \to \psi$ iff $\forall k \le j.\ \eta, k \Vdash \varphi$ implies $\eta, k \Vdash \psi$
  $\eta, j \Vdash \varphi \twoheadrightarrow \psi$ iff $\forall k < j.\ \eta, k \Vdash \varphi$ implies $\eta, k \Vdash \psi$
  $\eta, j \Vdash \triangleright\varphi$ iff $\forall k < j.\ \eta, k \Vdash \varphi$

A formula $\varphi$ is valid if $\eta, j \Vdash \varphi$ for all $\eta, j$. Note that $\varphi \twoheadrightarrow \psi$ is equivalent to $\triangleright(\varphi \to \psi)$ and $\triangleright\varphi$ is equivalent to $\top \twoheadrightarrow \varphi$. While implication $\to$ can be seen as a conjunction of static and irreflexive components:

  $j \Vdash \varphi \to \psi$ iff ($j \Vdash \varphi$ implies $j \Vdash \psi$) and $j \Vdash \varphi \twoheadrightarrow \psi$  (2)

it is not definable from the other connectives, because we have no static (that is, classical) implication. However our sequent calculus will effectively capture (2).

We now turn to Kripke frame semantics. Kripke semantics for intuitionistic modal logics are usually defined via bi-relational frames $(W, R_{\le}, R_{\Box})$, where $R_{\le}$ and $R_{\Box}$ are binary relations on $W$, with certain interaction conditions ensuring that modal formulae persist along the intuitionistic relation [32]. However for KM and KM_lin, the intuitionistic relation is definable in terms of the box relation, and so only the latter relation need be explicitly given to define a frame:

Definition 2.1. A frame is a pair $(W, R)$ where $W$ is a non-empty set and $R$ a binary relation on $W$. A KM-frame has $R$ transitive and converse-well-founded, i.e. there is no infinite sequence $x_1 R x_2 R x_3 R \cdots$. A KM_lin-frame is a KM-frame with $R$ also connected, i.e. $\forall x, y \in W.\ x = y$ or $R(x, y)$ or $R(y, x)$.

Converse-well-foundedness implies irreflexivity. Also, KM- and KM_lin-frames may be infinite because non-well-founded chains $\cdots R w_3 R w_2 R w_1$ are permitted.

Given a binary relation $R$, let $R^{=}$ be its reflexive closure. If $(W, R)$ is a KM-frame then $(W, R^{=})$ is reflexive and transitive so provides frame semantics for intuitionistic logic. In fact frames arising in this way in general satisfy only the theorems of intuitionistic logic, so KM is conservative over intuitionistic logic. In other words, the usual propositional connectives are too coarse to detect the converse well-foundedness of a frame; for that we need $\triangleright$ and the strong Löb axiom (1). Similarly the reflexive closure of a KM_lin-frame is a linear relation and so gives semantics for the logic LC, over which KM_lin is conservative.

A model $(W, R, \vartheta)$ consists of a frame $(W, R)$ and a valuation $\vartheta : \mathrm{Atm} \to 2^W$ obeying persistence:

  if $w \in \vartheta(p)$ and $wRx$ then $x \in \vartheta(p)$

We hence define KM- and KM_lin-models by the relevant frame conditions.

We can now define when a KM- or KM_lin-model $M = (W, R, \vartheta)$ makes a formula true at a world $w \in W$, with the obvious cases $\top, \bot, \wedge, \vee$ omitted:

  $M, w \Vdash p$ iff $w \in \vartheta(p)$
  $M, w \Vdash \varphi \to \psi$ iff $\forall x.\ wR^{=}x$ and $M, x \Vdash \varphi$ implies $M, x \Vdash \psi$
  $M, w \Vdash \varphi \twoheadrightarrow \psi$ iff $\forall x.\ wRx$ and $M, x \Vdash \varphi$ implies $M, x \Vdash \psi$
  $M, w \Vdash \triangleright\varphi$ iff $\forall x.\ wRx$ implies $M, x \Vdash \varphi$

Thus $\triangleright$ is the usual modal box. As usual for intuitionistic logic, we have a monotonicity lemma, provable by induction on the formation of $\varphi$:

Lemma 2.2 (Monotonicity). If $M, w \Vdash \varphi$ and $wRv$ then $M, v \Vdash \varphi$.

Fixing a class of models (KM- or KM_lin-), a formula $\varphi$ is valid if for every world $w$ in every model $M$ we have $M, w \Vdash \varphi$. It is easy to observe that the two semantics presented above coincide, given the right choice of frame conditions:

Theorem 2.3. Formula $\varphi$ is valid in the internal logic of $\mathcal{S}$ iff it is KM_lin-valid.
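The forcing clauses above, run on a finite KM_lin-model, as an added example that is not part of the paper: the formula encoding, the `Model` class, the `chain` builder (worlds $1..n$ with $jRk$ iff $k < j$, a finite initial segment of the topos-of-trees worlds) and the persistence check are all assumptions of this example. It checks the frame conditions of Definition 2.1, evaluates the strong Löb axiom and excluded middle, and confirms the stated equivalence of $\varphi \twoheadrightarrow \psi$ with $\triangleright(\varphi \to \psi)$ world by world.

```python
from itertools import product

# Formula constructors (a constructed encoding of the paper's grammar, not the authors' code).
def P(name): return ('p', name)
TOP, BOT = ('top',), ('bot',)
def And(a, b): return ('and', a, b)
def Or(a, b): return ('or', a, b)
def Imp(a, b): return ('imp', a, b)
def IImp(a, b): return ('iimp', a, b)   # irreflexive implication
def Later(a): return ('later', a)


class Model:
    """A finite model (W, R, ϑ): worlds, a set of R-pairs, and val: atom name -> set of worlds."""

    def __init__(self, worlds, R, val):
        self.W, self.R, self.val = set(worlds), set(R), val

    def succ(self, w):
        """Strict R-successors of w."""
        return {x for (v, x) in self.R if v == w}

    def is_km_lin_model(self):
        """KM_lin frame conditions (Def. 2.1) plus persistence of the valuation.
        On a finite frame, converse-well-foundedness amounts to irreflexivity plus transitivity."""
        transitive = all((a, c) in self.R for (a, b) in self.R for (b2, c) in self.R if b == b2)
        irreflexive = all(a != b for (a, b) in self.R)
        connected = all(x == y or (x, y) in self.R or (y, x) in self.R
                        for x, y in product(self.W, self.W))
        persistent = all(x in ws for ws in self.val.values() for w in ws for x in self.succ(w))
        return transitive and irreflexive and connected and persistent

    def forces(self, w, f):
        """The forcing clauses of Section 2: → ranges over the reflexive closure R=,
        while ↠ and ▷ range over strict successors only."""
        tag = f[0]
        if tag == 'p':
            return w in self.val.get(f[1], set())
        if tag == 'top':
            return True
        if tag == 'bot':
            return False
        if tag == 'and':
            return self.forces(w, f[1]) and self.forces(w, f[2])
        if tag == 'or':
            return self.forces(w, f[1]) or self.forces(w, f[2])
        if tag == 'imp':
            return all(not self.forces(x, f[1]) or self.forces(x, f[2])
                       for x in self.succ(w) | {w})
        if tag == 'iimp':
            return all(not self.forces(x, f[1]) or self.forces(x, f[2]) for x in self.succ(w))
        if tag == 'later':
            return all(self.forces(x, f[1]) for x in self.succ(w))
        raise ValueError(f"unknown formula {f!r}")

    def valid(self, f):
        """Valid in this model: true at every world."""
        return all(self.forces(w, f) for w in self.W)


def chain(n, val):
    """The n-world linear model with worlds 1..n and jRk iff k < j (world 1 has no successors)."""
    worlds = range(1, n + 1)
    return Model(worlds, {(j, k) for j in worlds for k in worlds if k < j}, val)


def iimp_matches_later_imp(model, a, b):
    """Check the equivalence φ ↠ ψ ≡ ▷(φ → ψ) at every world of the model."""
    return all(model.forces(w, IImp(a, b)) == model.forces(w, Later(Imp(a, b)))
               for w in model.W)


if __name__ == '__main__':
    p = P('p')
    m = chain(3, {'p': {1}})                      # constructed valuation: p becomes true at world 1
    print(m.is_km_lin_model())                    # True
    print(m.valid(Imp(Imp(Later(p), p), p)))      # strong Löb axiom holds: True
    print(m.valid(Or(p, Imp(p, BOT))))            # excluded middle fails at world 2: False
```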


3 The Sequent Calculus SKM_lin for KM_lin

A sequent is an expression of the form $\Gamma \vdash \Delta$ where $\Gamma$ and $\Delta$ are finite, possibly empty, sets of formulae with $\Gamma$ the antecedent and $\Delta$ the succedent. We write $\Gamma, \varphi$ for $\Gamma \cup \{\varphi\}$. Our sequents are “multiple-conclusioned” since the succedent $\Delta$ is a finite set rather than a single formula as in “single-conclusioned” sequents.

A sequent derivation is a finite tree of sequents where each internal node is obtained from its parents by instantiating a rule. The root of a derivation is the end-sequent. A sequent derivation is a proof if all the leaves are zero-premise rules. A rule may require extra side-conditions for its (backward) application.

The sequent calculus SKM_lin is shown in Fig. 1, where $\Gamma$, $\Delta$, $\Phi$, $\Theta$, and $\Sigma$, with superscripts and/or subscripts, are finite, possibly empty, sets of formulae.

Rules $\top$R, $\bot$L, id, $\vee$L, $\vee$R, $\wedge$L, $\wedge$R are standard for a multiple-conclusioned calculus for Int [?]. Rules $\to$L and $\to$R can be seen as branching on a conjunction of static and an irreflexive implication: see equation (2). The occurrence of $\varphi \twoheadrightarrow \psi$ in the right premise of $\to$L is redundant, since $\psi$ implies $\varphi \twoheadrightarrow \psi$, but its presence makes our termination argument simpler.
Termination rules (zero premises):

  $\top$R: $\Gamma \vdash \top, \Delta$
  $\bot$L: $\Gamma, \bot \vdash \Delta$
  id: $\Gamma, \varphi \vdash \varphi, \Delta$

Static rules (written "from premises infer conclusion"):

  $\vee$L: from $\Gamma, \varphi \vdash \Delta$ and $\Gamma, \psi \vdash \Delta$ infer $\Gamma, \varphi \vee \psi \vdash \Delta$
  $\wedge$L: from $\Gamma, \varphi, \psi \vdash \Delta$ infer $\Gamma, \varphi \wedge \psi \vdash \Delta$
  $\vee$R: from $\Gamma \vdash \varphi, \psi, \Delta$ infer $\Gamma \vdash \varphi \vee \psi, \Delta$
  $\wedge$R: from $\Gamma \vdash \varphi, \Delta$ and $\Gamma \vdash \psi, \Delta$ infer $\Gamma \vdash \varphi \wedge \psi, \Delta$
  $\to$L: from $\Gamma, \varphi \twoheadrightarrow \psi \vdash \varphi, \Delta$ and $\Gamma, \varphi \twoheadrightarrow \psi, \psi \vdash \Delta$ infer $\Gamma, \varphi \to \psi \vdash \Delta$
  $\to$R: from $\Gamma, \varphi \vdash \psi, \Delta$ and $\Gamma \vdash \varphi \twoheadrightarrow \psi, \Delta$ infer $\Gamma \vdash \varphi \to \psi, \Delta$

Transitional rule:

  STEP: from $\mathrm{Prem}_1, \ldots, \mathrm{Prem}_k, \mathrm{Prem}_{k+1}, \ldots, \mathrm{Prem}_{k+n}$ infer $\Sigma_l, \Theta^{\triangleright}, \Gamma^{\twoheadrightarrow} \vdash \Delta^{\twoheadrightarrow}, \Phi^{\triangleright}, \Sigma_r$  ($\dagger$)

  $\mathrm{Prem}_{1 \le i \le k} = \Sigma_l, \Theta, \Theta^{\triangleright}, \Gamma^{\to}, \varphi_i \twoheadrightarrow \psi_i, \varphi_i \vdash \psi_i, \Delta^{\twoheadrightarrow}_{-i}, \Phi$
  $\mathrm{Prem}_{k+1 \le i \le k+n} = \Sigma_l, \Theta, \Theta^{\triangleright}, \Gamma^{\to}, \triangleright\varphi_{i-k} \vdash \Delta^{\twoheadrightarrow}, \Phi$

  $\Theta^{\triangleright} = \triangleright\theta_1, \ldots, \triangleright\theta_j$
  $\Theta = \theta_1, \ldots, \theta_j$
  $\Gamma^{\twoheadrightarrow} = \{\alpha_1 \twoheadrightarrow \beta_1, \ldots, \alpha_l \twoheadrightarrow \beta_l\}$
  $\Gamma^{\to} = \{\alpha_1 \to \beta_1, \ldots, \alpha_l \to \beta_l\}$
  $\Delta^{\twoheadrightarrow} = \{\varphi_1 \twoheadrightarrow \psi_1, \ldots, \varphi_k \twoheadrightarrow \psi_k\}$
  $\Delta^{\to} = \{\varphi_1 \to \psi_1, \ldots, \varphi_k \to \psi_k\}$
  $\Delta^{\twoheadrightarrow}_{-i} = \Delta^{\twoheadrightarrow} \setminus \{\varphi_i \twoheadrightarrow \psi_i\}$
  $\Phi^{\triangleright} = \triangleright\varphi_1, \ldots, \triangleright\varphi_n$
  $\Phi = \varphi_1, \ldots, \varphi_n$

where $\dagger$ means that the conditions C0, C1 and C2 below must hold:

  (C0) $\Delta^{\twoheadrightarrow} \cup \Phi^{\triangleright} \neq \emptyset$
  (C1) $\bot \notin \Sigma_l$ and $\top \notin \Sigma_r$ and $(\Sigma_l \cup \Theta^{\triangleright} \cup \Gamma^{\twoheadrightarrow}) \cap (\Delta^{\twoheadrightarrow} \cup \Phi^{\triangleright} \cup \Sigma_r) = \emptyset$
  (C2) $\Sigma_l$ and $\Sigma_r$ each contain atomic formulae only

Explanations for the conditions:

  (C0) there must be at least one $\triangleright$- or $\twoheadrightarrow$-formula in the succedent of the conclusion
  (C1) none of the rules $\bot$L, $\top$R, id are applicable to the conclusion
  (C2) none of the rules $\vee$L, $\vee$R, $\wedge$L, $\wedge$R, $\to$L, $\to$R are applicable to the conclusion

Fig. 1. Rules for sequent calculus SKM_lin


The rule STEP resembles Sonobe’s multi-premise rule for $\to$ in LC [30, ?], but its interplay of static and dynamic connectives allows us to capture the converse-well-foundedness of our frames. The reader may like to skip forward to compare it to the rules for KM in Fig. 4, which are simpler because they do not have to deal with linearity. Condition C0 is essential for soundness; C1 and C2 are not, but ensure that the STEP rule is applicable only if no other rules are applicable (upwards), which is necessary for semantic invertibility (Lem. 3.11). Note that the formulae in $\Theta^{\triangleright}$ appear intact in the antecedent of every premise. This is not essential as $\Theta$ implies $\Theta^{\triangleright}$, but will simplify our proof of completeness. In contrast the formulae in $\Phi^{\triangleright}$ do not appear in the succedent of any premise.
Fig. 2. SKM_lin proof of the strong Löb axiom (reconstructed from the figure; read upwards from the end-sequent, with mp the derived rule of Lemma 3.1)

  $\vdash (\triangleright p \to p) \to p$ by $\to$R from (a) $\triangleright p \to p \vdash p$ and (b) $\vdash (\triangleright p \to p) \twoheadrightarrow p$.

  (a) $\triangleright p \to p \vdash p$ by $\to$L from $\triangleright p \twoheadrightarrow p \vdash \triangleright p, p$ and $\triangleright p \twoheadrightarrow p, p \vdash p$ (id). The former follows by STEP from $\triangleright p \to p, \triangleright p \vdash p$, which is an instance of mp.

  (b) $\vdash (\triangleright p \to p) \twoheadrightarrow p$ by STEP from $(\triangleright p \to p) \twoheadrightarrow p, \triangleright p \to p \vdash p$, which follows by $\to$L from $(\triangleright p \to p) \twoheadrightarrow p, \triangleright p \twoheadrightarrow p \vdash \triangleright p, p$ and $(\triangleright p \to p) \twoheadrightarrow p, \triangleright p \twoheadrightarrow p, p \vdash p$ (id). The former follows by STEP from $(\triangleright p \to p) \to p, \triangleright p \to p, \triangleright p \vdash p$, which closes by mp.

Fig. 3. SKM_lin proof of the LC axiom (reconstructed from the figure; read upwards from the end-sequent)

  $\vdash p \to q \vee q \to p$ by $\vee$R from $\vdash p \to q, q \to p$. Two applications of $\to$R, one per implication, yield sequents closed by id together with the three sequents $p \vdash q, q \twoheadrightarrow p$, $q \vdash p, p \twoheadrightarrow q$ and $\vdash p \twoheadrightarrow q, q \twoheadrightarrow p$.

  $p \vdash q, q \twoheadrightarrow p$ by STEP from $p, q \twoheadrightarrow p, q \vdash p$ (id); the sequent $q \vdash p, p \twoheadrightarrow q$ is symmetric.

  $\vdash p \twoheadrightarrow q, q \twoheadrightarrow p$ by STEP from $p \twoheadrightarrow q, p \vdash q, q \twoheadrightarrow p$ and $q \twoheadrightarrow p, q \vdash p, p \twoheadrightarrow q$ (symmetric to the left premise). The left premise follows by STEP from $p, p \to q, q \twoheadrightarrow p, q \vdash p$, which is an instance of id.


Also, the formulae in $\Sigma_r$ do not appear in the succedent of any premise. So STEP contains two aspects of weakening, but C2 ensures this is not done prematurely. Figs. 2 and 3 give example proofs, using the following derived rule:

Lemma 3.1. The Modus Ponens rule mp is derivable in SKM_lin as follows:

Proof. From $\Gamma, \varphi, \varphi \twoheadrightarrow \psi \vdash \varphi, \psi$ (id) and $\Gamma, \varphi, \varphi \twoheadrightarrow \psi, \psi \vdash \psi$ (id) infer, by $\to$L, the sequent $\Gamma, \varphi, \varphi \to \psi \vdash \psi$.

3.1 Soundness of SKM_lin

Given a world $w$ in some model $M$, and finite sets $\Gamma$ and $\Delta$ of formulae, we write $w \Vdash \Gamma$ if every formula in $\Gamma$ is true at $w$ in model $M$ and write $w \not\Vdash \Delta$ if every formula in $\Delta$ is not true at $w$ in model $M$.

A sequent $\Gamma \vdash \Delta$ is refutable if there exists a model $M$ and a world $w$ in that model such that $w \Vdash \Gamma$ and $w \not\Vdash \Delta$. A sequent is valid if it is not refutable. A rule is sound if some premise is refutable whenever the conclusion is refutable.

A rule is semantically invertible if the conclusion is refutable whenever some premise is refutable. Given a model $M$ and a formula $\varphi$, a world $w$ is a refuter for $\varphi$ if $M, w \not\Vdash \varphi$. It is a last refuter for $\varphi$ if in addition $M, w \Vdash \triangleright\varphi$. An eventuality is a formula of the form $\varphi \twoheadrightarrow \psi$ or $\triangleright\varphi$ in the succedent of the conclusion of an application of the rule STEP.

Lemma 3.2. In every model, every formula $\varphi$ with a refuter has a last refuter.

Proof. Suppose $\varphi$ has refuter $w$ in model $M$, i.e. $M, w \not\Vdash \varphi$. If all $R$-successors $v$ of $w$ have $v \Vdash \varphi$ then $w \Vdash \triangleright\varphi$, and so $w$ is the last refuter we seek. Else pick any successor $v$ such that $M, v \not\Vdash \varphi$ and repeat the argument replacing $w$ with $v$. By converse well-foundedness this can only be done finitely often before reaching a world with no $R$-successors, which vacuously satisfies $\triangleright\varphi$.

Theorem 3.3 (Soundness). If $\vdash \varphi$ is SKM_lin-derivable then $\varphi$ is KM_lin-valid.

Proof. We consider only the non-standard rules.

$\to$R: Suppose the conclusion $\Gamma \vdash \varphi \to \psi, \Delta$ is refutable at $w$ in model $M$. Thus some $R^{=}$-successor $v$ of $w$ refutes $\varphi \to \psi$ via $M, v \Vdash \varphi$ and $M, v \not\Vdash \psi$. If $v = w$ then $w$ refutes the left premise $\Gamma, \varphi \vdash \psi, \Delta$. Else $wRv$ and $M, w \not\Vdash \varphi \twoheadrightarrow \psi$, so $w$ refutes the right premise $\Gamma \vdash \varphi \twoheadrightarrow \psi, \Delta$.

$\to$L: Suppose the conclusion $\Gamma, \varphi \to \psi \vdash \Delta$ is refuted at $w$. Hence $w \Vdash \Gamma$ and $w \Vdash \varphi \to \psi$ and $w \not\Vdash \Delta$. Thus $w \Vdash \varphi \twoheadrightarrow \psi$. If $w \Vdash \psi$ then $w$ refutes the right premise $\Gamma, \varphi \twoheadrightarrow \psi, \psi \vdash \Delta$. Else $w \not\Vdash \psi$ and so we must have $w \not\Vdash \varphi$ since we already know that $w \Vdash \varphi \to \psi$. Thus $w$ refutes the left premise $\Gamma, \varphi \twoheadrightarrow \psi \vdash \varphi, \Delta$.

STEP: Assume that $\Sigma_l, \Theta^{\triangleright}, \Gamma^{\twoheadrightarrow} \vdash \Delta^{\twoheadrightarrow}, \Phi^{\triangleright}, \Sigma_r$ is refutable. That is, there is some model $M$ and some world $w$ such that $M, w \Vdash \Sigma_l$ and $M, w \Vdash \Theta^{\triangleright}$ and $M, w \Vdash \Gamma^{\twoheadrightarrow}$ but $M, w \not\Vdash \Delta^{\twoheadrightarrow}$ and $M, w \not\Vdash \Phi^{\triangleright}$ and $M, w \not\Vdash \Sigma_r$.

Thus each $\triangleright\varphi_i \in \Phi^{\triangleright}$ and each $\varphi_i \twoheadrightarrow \psi_i \in \Delta^{\twoheadrightarrow}$ has a last refuter, which may be $w$ itself. But then, each $\varphi_i \in \Phi$ and each $\varphi_i \to \psi_i \in \Delta^{\to}$ has a last refuter which is a strict successor of $w$. From this set of strict successors of $w$, choose the refuter $v$ that is closest to $w$ in the linear order.

Since $wRv$, we must have $M, v \Vdash \Sigma_l$ and $M, v \Vdash \Theta$ and $M, v \Vdash \Theta^{\triangleright}$ and $M, v \Vdash \Gamma^{\to}$, giving that $M, v \Vdash \Sigma_l, \Theta, \Theta^{\triangleright}, \Gamma^{\to}$.

If $v$ is the last refuter for some $\varphi_i \to \psi_i \in \Delta^{\to}$, we must have $M, v \Vdash \varphi_i$ and $M, v \not\Vdash \psi_i$ and $M, v \Vdash \varphi_i \twoheadrightarrow \psi_i$. We must also have $M, v \not\Vdash \Phi$ since the last refuter for each $\varphi_i \in \Phi$ cannot strictly precede $v$, by our choice of $v$. For the same reason, we must have $M, v \not\Vdash \varphi_j \twoheadrightarrow \psi_j$ for every $1 \le j \neq i \le k$, giving $M, v \not\Vdash \Delta^{\twoheadrightarrow}_{-i}$. Thus $v$ refutes the premise $\mathrm{Prem}_i = \Sigma_l, \Gamma^{\to}, \Theta, \Theta^{\triangleright}, \varphi_i \twoheadrightarrow \psi_i, \varphi_i \vdash \psi_i, \Delta^{\twoheadrightarrow}_{-i}, \Phi$.

If $v$ is the last refuter for some $\varphi_i \in \Phi$, we must have both $M, v \not\Vdash \varphi_i$ and $M, v \Vdash \triangleright\varphi_i$. Since $v$ is the closest last refuter to $w$ in the linear order, the last refuters for the other formulae in $\Phi$ cannot strictly precede $v$. Hence for each $1 \le j \neq i \le n$, we must have $M, v \not\Vdash \varphi_j$ for each $\varphi_j \in \Phi$, hence $M, v \not\Vdash \Phi$. Moreover, for the same reason, we must have $M, v \not\Vdash \varphi_j \twoheadrightarrow \psi_j$, where $1 \le j \le k$, for each $\varphi_j \twoheadrightarrow \psi_j \in \Delta^{\twoheadrightarrow}$, hence $M, v \not\Vdash \Delta^{\twoheadrightarrow}$. That is, $v$ refutes the $(k+i)$-th premise $\mathrm{Prem}_{k+i} = \Sigma_l, \Theta, \Theta^{\triangleright}, \Gamma^{\to}, \triangleright\varphi_i \vdash \Delta^{\twoheadrightarrow}, \Phi$.
3.2 Terminating backward proof search

In this section we describe how to systematically find derivations using backward proof search. To this end, we divide the rules into three sets as follows:

  Termination Rules: the rules id, $\bot$L, $\top$R
  Static Rules: the rules $\to$L, $\to$R, $\vee$L, $\vee$R, $\wedge$L, $\wedge$R
  Transitional Rule: STEP.

The proof search strategy below starts at the leaf (end-sequent) $\Gamma_0 \vdash \Delta_0$:

  while some rule is applicable to a leaf sequent do
    stop: apply any applicable termination rule to that leaf
    saturate: else apply any applicable static rule to that leaf
    transition: else apply the transitional rule to that leaf

The phase where only static rules are applied is called the saturation phase. The only non-determinism in our procedure is the choice of static rule when many static rules are applicable, but as we shall see later, any choice suffices. Note that conditions C1 and C2 actually force STEP to have lowest priority.

Let $sf(\varphi)$ be the set of subformulae of $\varphi$, including $\varphi$ itself, and let $m$ be the length of $\varphi$. Let $cl(\varphi) = sf(\varphi) \cup \{\psi_1 \twoheadrightarrow \psi_2 \mid \psi_1 \to \psi_2 \in sf(\varphi)\}$.

Proposition 3.4. The (backward) saturation phase terminates for any sequent.

Proof. Each rule either: removes a connective; or removes a formula completely; or replaces a formula $\varphi \to \psi$ with $\varphi \twoheadrightarrow \psi$, to which no static rule can be applied.

Given our strategy (and condition C1), we know that the conclusion of the STEP rule will never be an instance of id, hence $\varphi \twoheadrightarrow \psi$ or $\triangleright\varphi$ is only an eventuality when an occurrence of it does not already appear in the antecedent of the conclusion of the STEP rule in question.

Proposition 3.5. For all rules, the formulae in the premise succedents are subformulae of formulae in the conclusion, or are $\twoheadrightarrow$-formulae created from $\to$-formulae in the conclusion succedent: we never create new eventualities upwards.

Proposition 3.6. Any application of the rule STEP has strictly fewer eventualities in each premise than in its conclusion.

Proof. For each premise, an eventuality $\triangleright\varphi$ crosses from the succedent of the conclusion to the antecedent of that premise and appears in all higher antecedents, or an eventuality $\varphi \twoheadrightarrow \psi$ from the succedent of the conclusion turns into $\varphi \twoheadrightarrow \psi$ in the antecedent of the premise (becoming $\varphi \to \psi$ at the next STEP), and this turns back into $\varphi \twoheadrightarrow \psi$ via saturation, meaning that the eventuality ($\triangleright\varphi$ or $\varphi \twoheadrightarrow \psi$) cannot reappear in the succedent of some higher saturated sequent without creating an instance of id.

Theorem 3.7. Backward proof search terminates.

Proof. By Prop. 3.4 each saturation phase terminates, so the only way a branch can be infinite is via an infinite number of applications of the STEP rule. But by Prop. 3.6 each such application reduces the number of eventualities of the branch, and by Prop. 3.5 no rule creates new eventualities. Thus we must eventually reach a saturated sequent to which no rule is applicable, or reach an instance of a termination rule. Either way, proof search terminates.

Proposition 3.8. Given an end-sequent $\Gamma_0 \vdash \Delta_0$, the maximum number of different eventualities is the sum of the lengths of the formulae in $\Gamma_0 \cup \Delta_0$.

Proof. Each eventuality $\triangleright\varphi$ is a subformula of the end-sequent, and each eventuality $\varphi \twoheadrightarrow \psi$ is created from a subformula $\varphi \to \psi$ which is also a subformula of the end-sequent, or is a subformula of the end-sequent.

Corollary 3.9. Any branch of our proof-search procedure for end-sequent $\Gamma_0 \vdash \Delta_0$ contains at most $l$ applications of the STEP rule, where $l$ is the sum of the lengths of the formulae in $\Gamma_0 \cup \Delta_0$.

3.3 Cut-free Completeness Without Backtracking 

The rules of our sequent calculus, when used according to conditions CO, Cl, 
and C2, can be shown to preserve validity upwards as follows. 

Lemma 3.10 (Semantic Invertibility). All static rules are semantically invertible: if some premise is refutable then so is the conclusion.

Proof. Again, we consider only the non-standard rules.

$\to$R: Suppose the right premise $\Gamma \vdash \varphi \twoheadrightarrow \psi, \Delta$ is refuted at $w$. Then so is the conclusion $\Gamma \vdash \varphi \to \psi, \Delta$ since $\varphi \to \psi$ implies $\varphi \twoheadrightarrow \psi$. Suppose that the left premise $\Gamma, \varphi \vdash \psi, \Delta$ is refutable at $w$. Then the conclusion is also refutable at $w$ since $w \not\Vdash \Delta$ and $w \not\Vdash \varphi \to \psi$.

$\to$L: Suppose the right premise $\Gamma, \varphi \twoheadrightarrow \psi, \psi \vdash \Delta$ is refuted by $w$. Then so is the conclusion $\Gamma, \varphi \to \psi \vdash \Delta$ since $\psi$ implies $\varphi \to \psi$. Suppose the left premise $\Gamma, \varphi \twoheadrightarrow \psi \vdash \varphi, \Delta$ is refuted by $w$. Since $w \not\Vdash \varphi$ and $w \Vdash \varphi \twoheadrightarrow \psi$, we must have $w \Vdash \varphi \to \psi$. But $w \not\Vdash \Delta$, hence it refutes the conclusion.

For a given conclusion instance of the STEP rule, we have already seen that conditions C0, C1 and C2 guarantee that there is at least one eventuality in the succedent, that no termination rule is applicable, that the conclusion is saturated, and that no eventuality in the succedent of the conclusion is ignored.

Lemma 3.11. The rule STEP (with C0, C1 and C2) is semantically invertible.

Proof. Suppose some premise is refutable. That is,

1. for some $1 \le i \le k$ there exists a model $M_1 = (W_1, R_1, \vartheta_1)$ and $w_1 \in W_1$ such that $M_1, w_1 \Vdash \Sigma_l, \Theta, \Theta^{\triangleright}, \Gamma^{\to}, \varphi_i \twoheadrightarrow \psi_i, \varphi_i$ and $M_1, w_1 \not\Vdash \psi_i, \Delta^{\twoheadrightarrow}_{-i}, \Phi$, or

2. for some $k+1 \le i \le k+n$ there exists a model $M_2 = (W_2, R_2, \vartheta_2)$ and $w_2 \in W_2$ such that $M_2, w_2 \Vdash \Sigma_l, \Theta, \Theta^{\triangleright}, \Gamma^{\to}, \triangleright\varphi_{i-k}$ and $M_2, w_2 \not\Vdash \Delta^{\twoheadrightarrow}, \Phi$.

$1 \le i \le k$: We must show there is some model $M$ containing a world $w_0$ such that $M, w_0 \Vdash \Sigma_l, \Theta^{\triangleright}, \Gamma^{\twoheadrightarrow}$ and $M, w_0 \not\Vdash \Delta^{\twoheadrightarrow}, \Phi^{\triangleright}, \Sigma_r$. We do this by taking the submodel generated by $w_1$, adding an extra world $w_0$ as a predecessor of $w_1$, letting $w_0$ reach every world reachable from $w_1$, and setting every member of $\Sigma_l$ to be true at $w_0$.

We formally define $M$ by: $W = \{w \in W_1 \mid w_1 R_1 w\} \cup \{w_0, w_1\}$; $R = \{(v, w) \in R_1 \mid v \in W, w \in W\} \cup \{(w_0, w) \mid w \in W \setminus \{w_0\}\}$; for every atomic formula $p$ and for every $w \in W \setminus \{w_0\}$, let $w \in \vartheta(p)$ iff $w \in \vartheta_1(p)$, and put $w_0 \in \vartheta(p)$ iff $p \in \Sigma_l$.

By simultaneous induction on the size of any formula $\xi$ it follows that for every world $w \neq w_0$ in $W$, we have $M_1, w \Vdash \xi$ iff $M, w \Vdash \xi$.

We have $M, w_0 \not\Vdash \Sigma_r$ by definition (since its intersection with $\Sigma_l$ is empty). We have $M, w_0 \Vdash \Theta^{\triangleright}$ since $M_1, w_1 \Vdash \Theta$ implies $M, w_1 \Vdash \Theta$, and we know that $w_0 R w_1$. Similarly, we have $M, w_0 \Vdash \Gamma^{\twoheadrightarrow}$ since $w_0 R w_1$ and $M_1, w_1 \Vdash \Gamma^{\to}$. Since $M_1, w_1 \Vdash \varphi_i$ and $M_1, w_1 \not\Vdash \psi_i$, we must have $M, w_0 \not\Vdash \varphi_i \twoheadrightarrow \psi_i$ as desired. Together with $M_1, w_1 \not\Vdash \Delta^{\twoheadrightarrow}_{-i}$, we have $M, w_0 \not\Vdash \Delta^{\twoheadrightarrow}$. Finally, since $M_1, w_1 \not\Vdash \Phi$, we must have $M, w_0 \not\Vdash \Phi^{\triangleright}$. Collecting everything together, we have $M, w_0 \Vdash \Sigma_l, \Theta^{\triangleright}, \Gamma^{\twoheadrightarrow}$ and $M, w_0 \not\Vdash \Delta^{\twoheadrightarrow}, \Phi^{\triangleright}, \Sigma_r$ as desired.

The case $k+1 \le i \le k+n$ follows similarly.

Theorem 3.12. If the sequent $\vdash \varphi_0$ is not derivable using the rules of Fig. 1 according to our proof-search strategy then $\varphi_0$ is not KM_lin-valid.

Proof. Suppose $\vdash \varphi_0$ is not derivable using our systematic backward proof search procedure. Thus our procedure gives a finite tree with at least one leaf $\Sigma_l, \Gamma^{\twoheadrightarrow}, \Theta^{\triangleright} \vdash \Sigma_r$ obeying both C1 and C2 to which no rules are applicable.

Construct $M_0 = (W_0, R_0, \vartheta_0)$ as follows: let $W_0 = \{w_0\}$; let $R_0 = \emptyset$; and $w_0 \in \vartheta_0(p)$ iff $p \in \Sigma_l$. Clearly, we have $M_0, w_0 \Vdash \Sigma_l$ by definition. Also, $M_0, w_0 \not\Vdash \Sigma_r$ since its intersection with $\Sigma_l$ is empty by C1. Every formula $\alpha \twoheadrightarrow \beta \in \Gamma^{\twoheadrightarrow}$ and $\triangleright\theta \in \Theta^{\triangleright}$ is vacuously true at $w_0$ in $M_0$ since $w_0$ has no strict successors. Thus the leaf sequent $\Sigma_l, \Gamma^{\twoheadrightarrow}, \Theta^{\triangleright} \vdash \Sigma_r$ is refuted by $w_0$ in model $M_0$. The Invertibility Lemmas 3.10 and 3.11 now imply that $\vdash \varphi_0$ is refutable in some KM_lin-model.

Corollary 3.13 (Completeness). If $\varphi$ is KM_lin-valid then $\vdash \varphi$ is SKM_lin-derivable.

Cor. 3.13 guarantees that any sound rule can be added to our calculus without increasing the set of provable end-sequents, including both forms of cut below:

  cut: from $\Gamma \vdash \varphi, \Delta$ and $\Gamma, \varphi \vdash \Delta$ infer $\Gamma \vdash \Delta$
  cut: from $\Gamma \vdash \varphi, \Delta$ and $\Gamma', \varphi \vdash \Delta'$ infer $\Gamma, \Gamma' \vdash \Delta, \Delta'$

Since all static rules are semantically invertible, any order of rule applications for saturation suffices. Since all rules are invertible we never need backtracking. That is, our strategy straightforwardly yields a decision procedure. It also tells us that KM_lin, like its parent logics KM and LC, enjoys the finite model property:
Theorem 3.14. If $\varphi$ is not KM_lin-valid then it is refutable in a rooted (finite) KM_lin-model of length at most $l + 1$ where $l$ is the length of $\varphi$.

Proof. Suppose that $\varphi$ is not valid: that is, $\varphi$ is refuted by some world in some KM_lin-model. By soundness Thm. 3.3, $\vdash \varphi$ is not derivable using our proof-search strategy. In particular, in any branch, there can be at most $l$ applications of the rule STEP by Cor. 3.9. From such a branch, completeness Thm. 3.12 allows us to construct a model $M$ and a world $w$ which refutes $\varphi$. But the model $M$ we construct in the completeness proof is a rooted (finite) KM_lin-model with at most $l + 1$ worlds since the only rule that creates new worlds is the (transitional) STEP rule and there are at most $l$ such rule applications in any branch.

Corollary 3.15. KM_lin has the finite model property.

3.4 Complexity 

We first embed classical propositional logic into KM_lin.

Lemma 3.16. If $\varphi$ is a formula built out of atomic formulae, $\top$ and $\bot$ using only the connectives $\wedge$, $\vee$, $\to$, and the sequent $\vdash (\varphi \to \bot) \to \bot$ is derivable, then $\varphi$ is a tautology of classical propositional logic.

Proof. Any derivation in our systematic proof search procedure ends as:

  $\varphi \twoheadrightarrow \bot \vdash \varphi, \bot$
  $\varphi \to \bot \vdash \bot$
  $\vdash (\varphi \to \bot) \to \bot$

Thus, the sequent $\varphi \twoheadrightarrow \bot \vdash \varphi, \bot$ is derivable.

Soundness Thm. 3.3 then implies that this sequent is valid on all models. In particular, it is valid on the class of single-pointed models $M = (W, R, \vartheta)$ where $W = \{w_0\}$ and $R = \emptyset$. The formula $\varphi \twoheadrightarrow \bot$ is true at $w_0$ vacuously since $w_0$ has no $R$-successor. The formula $\bot$ is not true in any model, including this one, hence $M, w_0 \not\Vdash \bot$. Thus $M, w_0 \Vdash \varphi$. That is, $\varphi$ itself is valid on all single-pointed models. But such a model is just a valuation of classical propositional logic.

Lemma 3.17. If $\varphi$ is a formula built out of atomic formulae, $\top$ and $\bot$ using only the connectives $\wedge$, $\vee$, $\to$, and the sequent $\vdash (\varphi \to \bot) \to \bot$ is not derivable, then $\varphi$ is not a tautology of classical propositional logic.

Proof. Suppose $\vdash (\varphi \to \bot) \to \bot$ is not derivable. Then, by Thm. 3.12, $(\varphi \to \bot) \to \bot$ is not KM_lin-valid. Thus, there is a finite linear model $M = (W, R, \vartheta)$ with root world $w_0 \in W$ such that $M, w_0 \not\Vdash (\varphi \to \bot) \to \bot$. Thus there is a world $v$ such that $w_0 R^{=} v$ and $M, v \Vdash \varphi \to \bot$, which implies that every $R^{=}$-successor of $v$, including a world $u$ (say) with no $R$-successors, makes $\varphi$ false. But such a final world $u$ is just a valuation of classical propositional logic, thus there is a model of classical propositional logic which makes $\varphi$ false. That is, $\varphi$ is not a tautology of classical propositional logic.

Lemma 3.18. There is a non-deterministic algorithm to test the refutability (non-validity) of the sequent $\vdash \varphi$ in time polynomial in the length of $\varphi$.

Proof. Let $l$ be the length of $\varphi$, and recall the definitions of $\mathit{sf}(\varphi)$ and $\mathit{cl}(\varphi)$ given earlier. The number of formulae in $\mathit{cl}(\varphi)$ is at most $2l$ and the size of each sequent our calculus builds is bounded by $4l^2$, since each formula of length at most $l$ could appear in the antecedent or the succedent or both.

Let $\Gamma_1 \vdash \Delta_1, \ldots, \Gamma_k \vdash \Delta_k$ be a sequence of length $k = l^2$ of sequents, where each sequent is built out of formulae from $\mathit{cl}(\varphi)$. Check whether this sequence forms a branch of legal rule applications, none of which is the rule id, and check whether no rule is applicable to the sequent $\Gamma_k \vdash \Delta_k$. If so, then the sequent $\vdash \varphi$ is refutable (non-valid).

It remains to show that this (non-deterministic) algorithm requires time which is polynomial in the length $l$ of $\varphi$.

Every saturation phase is of length at most $l$ since each rule removes a connective. In any branch, there can be at most $l$ applications of the rule step since each eventuality which is principal in such a rule application moves into the antecedent of the appropriate premise and hence cannot reappear without leading to an instance of id. Thus every branch in any putative derivation of $\vdash \varphi$ is of length at most $k = l^2$. Since each sequent is of size at most $4l^2$, checking the guessed branch requires at most $k \cdot 4l^2 = 4l^4$ operations. That is, it can be done in time polynomial in the length of the given end-sequent.

Corollary 3.19. The validity problem for $\mathrm{KM}_{lin}$ is coNP-complete.

Proof. By Lemmas 3.16 and 3.17 we can faithfully embed the validity problem for classical propositional logic into $\mathrm{KM}_{lin}$, hence it is at least as hard as checking validity in classical propositional logic (coNP). By Lem. 3.18 we can non-deterministically check non-validity of a given formula in time at most polynomial in its size.

4 Terminating Proof Search for KM 

This section turns to the logic KM, for which models need not be linear. One might expect that KM, which is conservative over Int, would require single-conclusioned sequents only, but KM-theorems such as the axiom $\rhd\varphi \to (\psi \vee (\psi \to \varphi))$ (see Litak [23]) seem to require multiple conclusions. As such our calculus will resemble that for $\mathrm{KM}_{lin}$. The static rules will be those of $\mathrm{KM}_{lin}$, but the transitional rule step of $\mathrm{KM}_{lin}$ is now replaced by the rules $\rightarrowtail R$ and $\rhd R$ shown in Fig. 4.
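The Kripke semantics that Lemmas 3.16 and 3.17 above exploit (a single-pointed world, or the last world of a chain, is a classical valuation) and the KM axiom just cited can both be checked mechanically. The following Python model checker is an example added by the editor, not code from the paper. It assumes the forcing clauses this section relies on: a strict, transitive accessibility $R$ with persistent valuations, $\to$ evaluated over the reflexive closure $R^{=}$, and $\rightarrowtail$ and $\rhd$ evaluated over strict successors only. The tuple encoding of formulas, the chain-depth bound used for the validity search, and the branching sample model are this example's own choices.

```python
"""Kripke semantics for the propositional fragment of KMlin / KM as used in
this section: strict transitive accessibility R, persistent valuations, ->
evaluated over the reflexive closure of R, the irreflexive implication and
the later modality over strict successors only.  A model is (n, R, val):
worlds 0..n-1, R a transitively closed set of pairs, val: atom -> set of
worlds (persistent along R).  Editor's example, not code from the paper."""
from itertools import product

# Formulas: ('atom','p') ('top',) ('bot',) ('and',a,b) ('or',a,b)
# ('imp',a,b) intuitionistic ->, ('simp',a,b) irreflexive implication, ('later',a)


def holds(model, w, phi):
    """Forcing relation  model, w |= phi."""
    n, R, val = model
    succ = [v for v in range(n) if (w, v) in R]   # strict R-successors of w
    k = phi[0]
    if k == 'atom':
        return w in val.get(phi[1], set())
    if k in ('top', 'bot'):
        return k == 'top'
    if k == 'and':
        return holds(model, w, phi[1]) and holds(model, w, phi[2])
    if k == 'or':
        return holds(model, w, phi[1]) or holds(model, w, phi[2])
    if k == 'imp':    # reflexive closure: w itself and every strict successor
        return all(not holds(model, v, phi[1]) or holds(model, v, phi[2])
                   for v in [w] + succ)
    if k == 'simp':   # irreflexive: only strict successors are inspected
        return all(not holds(model, v, phi[1]) or holds(model, v, phi[2])
                   for v in succ)
    if k == 'later':
        return all(holds(model, v, phi[1]) for v in succ)
    raise ValueError(f"unknown connective {k!r}")


def atoms(phi):
    """Names of the atoms occurring in phi."""
    if phi[0] == 'atom':
        return {phi[1]}
    return set().union(*(atoms(sub) for sub in phi[1:]))


def linear_models(length, names):
    """Every chain model w0 R w1 R ... ; the first world at which each atom
    becomes true (length = never) fixes a persistent valuation: (length+1)^k models."""
    R = {(i, j) for i in range(length) for j in range(i + 1, length)}
    names = sorted(names)
    for firsts in product(range(length + 1), repeat=len(names)):
        val = {p: set(range(f, length)) for p, f in zip(names, firsts)}
        yield (length, R, val)


def kmlin_countermodel(phi, max_depth=4):
    """Search chains of length 1..max_depth for a world refuting phi.  Cor. 3.15
    gives some finite countermodel for every non-theorem; the depth bound is an
    assumption of this example."""
    for length in range(1, max_depth + 1):
        for model in linear_models(length, atoms(phi)):
            for w in range(length):
                if not holds(model, w, phi):
                    return model, w
    return None


def kmlin_valid(phi, max_depth=4):
    return kmlin_countermodel(phi, max_depth) is None


def classical_tautology(phi):
    """Truth table via single-pointed models (one world, empty R), which are
    classical valuations: the observation behind Lemmas 3.16 and 3.17."""
    names = sorted(atoms(phi))
    for bits in product((False, True), repeat=len(names)):
        val = {p: ({0} if b else set()) for p, b in zip(names, bits)}
        if not holds((1, set(), val), 0, phi):
            return False
    return True


# --- sample formulas and a branching model, constructed for this example ---
P, Q, BOT = ('atom', 'p'), ('atom', 'q'), ('bot',)
def neg(a): return ('imp', a, BOT)
EXCLUDED_MIDDLE = ('or', P, neg(P))
LOB = ('imp', ('later', ('imp', ('later', P), P)), ('later', P))   # Godel-Lob
LITAK = ('imp', ('later', P), ('or', Q, ('imp', Q, P)))            # KM axiom, Sec. 4
LINEARITY = ('or', ('imp', P, Q), ('imp', Q, P))                   # LC axiom
BRANCHING = (3, {(0, 1), (0, 2)}, {'p': {1}, 'q': {2}})  # root 0, two incomparable successors


def demo():
    """Results to compare with the text."""
    return {
        'EM classical tautology': classical_tautology(EXCLUDED_MIDDLE),        # True
        'EM KMlin-valid': kmlin_valid(EXCLUDED_MIDDLE),                        # False
        '(EM->bot)->bot KMlin-valid': kmlin_valid(neg(neg(EXCLUDED_MIDDLE))),  # True
        'Lob axiom KMlin-valid': kmlin_valid(LOB),                             # True
        'later p -> p KMlin-valid': kmlin_valid(('imp', ('later', P), P)),     # False
        'Litak axiom KMlin-valid': kmlin_valid(LITAK),                         # True
        'linearity axiom KMlin-valid': kmlin_valid(LINEARITY),                 # True
        'linearity axiom at branching root': holds(BRANCHING, 0, LINEARITY),   # False
        'Litak axiom at branching root': holds(BRANCHING, 0, LITAK),           # True
    }
```

Running `demo()` shows the embedding at work: $p \vee \neg p$ is refuted at the root of a two-world chain (the countermodel returned by `kmlin_countermodel` is the chain $w_0 R w_1$ with $p$ true only at $w_1$), but $(\varphi \to \bot) \to \bot$ with $\varphi = p \vee \neg p$ survives every chain, because the final world of a chain is exactly a classical valuation. The linearity axiom $(p \to q) \vee (q \to p)$ holds on every chain but fails at the root of the constructed branching model, while Litak's axiom holds in both, which is the distinction between $\mathrm{KM}_{lin}$ and KM that this section starts from.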
The backward proof-search strategy is the same as that of Sec. 3.2 except that the transitional rule application now reads as below:

transition: else choose a $\rightarrowtail$- or $\rhd$-formula from the succedent and apply $\rightarrowtail R$ or $\rhd R$, backtracking over these choices until a derivation is found or all choices of principal formula have been exhausted.

So if the succedent of the given sequent is $\Delta^{\rightarrowtail}, \rhd\Phi_r, \Sigma_r$, where $\Delta^{\rightarrowtail}$ contains $m$ formulae and $\rhd\Phi_r$ contains $n$ formulae, then in the worst case we must explore $m$ premise instances of $\rightarrowtail R$ and $n$ premise instances of $\rhd R$.
$$\rightarrowtail R\colon\ \dfrac{\Sigma_l, \Phi_l, \rhd\Phi_l, \Gamma^{\to}, \varphi \vdash \psi}{\Sigma_l, \rhd\Phi_l, \Gamma^{\rightarrowtail} \vdash \varphi \rightarrowtail \psi, \Delta^{\rightarrowtail}, \rhd\Phi_r, \Sigma_r}\ \dagger \qquad\qquad \rhd R\colon\ \dfrac{\Sigma_l, \Phi_l, \rhd\Phi_l, \Gamma^{\to} \vdash \varphi}{\Sigma_l, \rhd\Phi_l, \Gamma^{\rightarrowtail} \vdash \rhd\varphi, \Delta^{\rightarrowtail}, \rhd\Phi_r, \Sigma_r}\ \dagger$$

where $\dagger$ means that the following conditions hold:

(C1): $\bot \notin \Sigma_l$ and $\top \notin \Sigma_r$ and the conclusion is not an instance of id

(C2): $\Sigma_l$ and $\Sigma_r$ contain only atomic formulae (i.e. the conclusion is saturated)

Fig. 4. Transitional rules for logic KM (the premises shown follow the description in the proofs of Thm. 4.1 and Lemma 4.2: antecedent atoms and $\rhd$-formulae persist, each $\rhd\varphi$ also contributes $\varphi$, each $\varphi \rightarrowtail \psi$ becomes $\varphi \to \psi$, and all other succedent formulae are discarded).


Theorem 4.1. The rules $\rightarrowtail R$ and $\rhd R$ are sound for the logic KM.

Proof. Suppose the conclusion of rule $\rightarrowtail R$ is refutable at world $w$ in some model $M$. Thus there is a strict $R$-successor $v$ of $w$ which is a last refuter for $\varphi \rightarrowtail \psi$: that is, $M, v \Vdash \varphi$ and $M, v \nVdash \psi$ and $M, v \Vdash \varphi \rightarrowtail \psi$. The other formulae from the antecedent of the conclusion are also true at $v$ by truth-persistence, and for every $\rightarrowtail$-formula true at $w$, we also have its $\to$-version true at $v$, and likewise for $\rhd$-formulae. The proof for the $\rhd R$ rule is similar.

Termination follows using the same argument as for $\mathrm{SKM}_{lin}$. However the new rules are not semantically invertible, since we have to choose a particular $\rightarrowtail$- or $\rhd$-formula from the succedent of the conclusion and discard all others when moving to the premise, yet a different choice may have given a derivation of the conclusion. Thus these rules require the backtracking which is built into the new transition part of our proof search strategy.

Lemma 4.2. If a sequent $s$ obeys the $\dagger$ conditions and every premise instance obtained by applying the rules $\rightarrowtail R$ and $\rhd R$ backwards to $s$ is not derivable, then the sequent $s$ is refutable.

Proof. We proceed by induction on the maximum number $k$ of applications of the transitional rules in any branch of backward proof search for $s$.

Base case $k = 0$: if $s$ obeys the $\dagger$ conditions but contains no $\rightarrowtail$-formulae and no $\rhd$-formulae in its succedent, then no rule at all is applicable to $s$ and so $s$ is refutable as already shown in the proof of Thm. 3.12.

Base case $k = 1$: if $s$ obeys the $\dagger$ conditions and the proof-search involves at most one application of the transitional rules in any branch, then each premise instance of $s$ leads upwards to at least one non-derivable leaf sequent to which no rule is applicable. This leaf is again refutable as shown in the proof of Theorem 3.12. The Inversion Lemmas then allow us to conclude that the premise instance itself is refutable since all rule applications in this branch must be static rules. Thus each premise instance $\pi_i$ of $s$ under the transitional rules is refutable in some world $w_i$ in some model $M_i$. Let $w_0$ be a new world and put $w_0 R w_i$ for every $w_i$ and put $w_0 R w$ for each $w$ which is an $R_i$-successor of any $w_i$ in any model $M_i$, and put $w_0 \in \vartheta(p)$ iff $p$ is in the antecedent of $s$. The new world $w_0$ makes every atomic formula in the antecedent of $s$ true and makes every atomic formula in the succedent of $s$ false. There are no conjunctions or disjunctions or $\to$-formulae in $s$. Every $\varphi \rightarrowtail \psi$ in the antecedent of $s$ appears in the antecedent of every premise instance as $\varphi \to \psi$, so each $w_i$ makes $\varphi \to \psi$ true, and hence $w_0$ makes $\varphi \rightarrowtail \psi$ true. Every $\rhd\varphi$ in the antecedent of $s$ appears in the antecedent of every premise instance and so does $\varphi$, so each $w_i$ makes $\varphi$ true, and hence $w_0$ makes $\rhd\varphi$ true. For every $\rightarrowtail$-formula $\varphi \rightarrowtail \psi$ in the succedent of $s$, the premise instance $\pi_i$ corresponding to a $\rightarrowtail R$-rule application with $\varphi \rightarrowtail \psi$ as the principal formula will contain $\varphi$ in its antecedent and contain $\psi$ in its succedent. The corresponding world $w_i$ will make $\varphi$ true and make $\psi$ false, meaning that $w_0$ will falsify $\varphi \rightarrowtail \psi$. Similarly, for every $\rhd$-formula $\rhd\varphi$ in the succedent of $s$, the world $w_j$ obtained from a $\rhd R$-rule application with $\rhd\varphi$ as the principal formula will falsify $\varphi$, meaning that $w_0$ will falsify $\rhd\varphi$. Thus $w_0$ will refute $s$ as claimed.

Induction case $k + 1$ for $k > 0$: The induction hypothesis is that the lemma holds for all sequents $s$ that obey the $\dagger$-conditions and whose proof-search involves at most $k$ applications of the transitional rules in any branch.

Now suppose that $s$ obeys the $\dagger$-conditions and the backward proof search for $s$ contains $k + 1$ applications of the transitional rules. Consider the bottom-most application of the transitional rules (if any) along any branch ending at a premise instance $\pi$ of $s$. Suppose the conclusion sequent of this bottom-most application is $c$. This application falls under the induction hypothesis and so $c$ must be falsifiable in some model. The rules between $c$ and $\pi$ are all static rules, if any, and so are semantically invertible, meaning that the sequent $\pi$ must be falsifiable in some model. Thus each premise instance of $s$ under the transitional rules is refutable in some world $w_i$ in some model $M_i$. The same construction as in the base case for $k = 1$ suffices to deliver a model and a world that refutes $s$ as claimed.

Corollary 4.3. If the end-sequent $\Gamma_0 \vdash \Delta_0$ is not derivable using backward proof search according to our strategy then $\Gamma_0 \vdash \Delta_0$ is refutable.

Corollary 4.4. If $\varphi_0$ is KM-valid then $\vdash \varphi_0$ is SKM-derivable.

As for $\mathrm{KM}_{lin}$, our proofs yield the finite model property for KM as an immediate consequence, although for KM this is already known [25].

5 Related Work 

Ferrari et al [14] give sequent calculi for intuitionistic logic using a compartment $\Theta$ in the antecedents of their sequents $\Theta; \Gamma \vdash \Delta$. This compartment contains formulae that are not necessarily true now, but are true in all strict successors. Fiorino [15] gives a sequent calculus using this compartment for LC. This yields linear depth derivations, albeit requiring a semantic check which is quadratic. Both [14, 15] build in aspects of Gödel-Löb logic by allowing (sub)formulae to cross from the succedent of the conclusion into the compartment $\Theta$. Our calculus differs by giving syntactic analogues $\rhd$ and $\rightarrowtail$ for these meta-level features, and by requiring no compartments, but it should be possible to adapt these authors' work to design sequent calculi for $\mathrm{KM}_{lin}$ with linear depth derivations.
Restall [28] investigates "subintuitionistic logics" where each of the conditions on Kripke frames of reflexivity, transitivity and persistence can be dropped. The logic of our novel connective $\rightarrowtail$ can be seen as the logic bka, which lacks reflexivity, but has the additional conditions of linearity and converse well-foundedness, which Restall does not consider. The models studied by Restall all require a root world, and thus they disallow sequences $\cdots x_3 R x_2 R x_1$ which are permitted by $\mathrm{KM}_{lin}$-models. Ishigaki and Kikuchi [19] give "tree-sequent" calculi for the first-order versions of some of these subintuitionistic logics. Thus "tree-sequent" calculi for KM and $\mathrm{KM}_{lin}$ are possible, but our calculi require no labels.

Labelled sequent calculi for KM and $\mathrm{KM}_{lin}$ are possible by extending the work of Dyckhoff and Negri, but termination proofs and complexity results for labelled calculi are significantly harder than our proofs.

Garg et al [16] give labelled sequent calculi for intuitionistic modal logics and general conditions on decidability. Their method relies on a first-order characterisation of the underlying Kripke relations, but converse well-foundedness is not first-order definable. Labelled calculi can handle converse well-founded frames by allowing formulae to "cross" sides as in our calculus, but it is not clear whether the method of Garg et al [16] then applies.

Our complexity results follow directly from our calculi; a possible alternative may be to adapt the polynomial encoding of LC into classical satisfiability [8].

6 Conclusion 

We have seen that the internal propositional logic of the topos of trees is $\mathrm{KM}_{lin}$. Indeed it may be tempting to think that $\mathrm{KM}_{lin}$ is just LC, as both are sound and complete with respect to the class of finite sequences of reflexive points, but note that we cannot express the modality $\rhd$ in terms of the connectives of LC.

Linear frames seem concordant with the step-indexing applications of later, based as they are on induction on the natural numbers rather than any branching structure, but seem less natural from a types point of view, which tends to build on intuitionistic logic. For a possible type-theoretic interpretation of linearity see Hirai's $\lambda$-calculus for LC with applications to 'waitfree' computation. More broadly our work provides a proof-theoretical basis for future research into computational aspects of intuitionistic Gödel-Löb provability logic.

The topos of trees, which generalises some previous models, has itself been generalised as a model of guarded recursion in several ways. These categories do not all correspond to $\mathrm{KM}_{lin}$; some clearly fail to be linear. The logical content of these general settings may also be worthy of study.

The most immediate application of our proof search algorithm may be to provide automation for program logics that use later [2, 9]. Support for a richer class of connectives, such as first and higher order quantifiers, would be desirable. We in particular note the 'backwards looking box' used by Bizjak and Birkedal in sheaves over the first uncountable ordinal $\omega_1$, and subsequently in the topos of trees by Clouston et al [9] to reason about coinductive types.